The present invention generally relates to data processing systems; particularly relates to security in data processing systems; and, especially relates to controlling access to resources in data processing systems.

For a general overview of security in data processing, see, for example, Simone Fischer-Huebner: IT-Security and Privacy; Dorothy Denning: Cryptography and Data Security, 1982. An aspect of security in the data processing field is that of controlled access to objects or resources such as data files and the like. Such access control is typically implemented with reference to attributes of a user seeking access. The attributes might include, for example, subscription status, or clearance to read or write sensitive data. A data processing process in which performance of the process is dependent on one or more attributes of a user seeking to perform the process is typically referred to as a task. Examples of such tasks include reading from and writing to a classified data file.

In M. Abrams, J. Heaney, O. King, L. LaPadula, M. Lazear, I. Olson: Generalized Framework for Access Control: Towards Prototyping the ORGCON Policy. In Proceedings of the 14th National Computer Security Conference, Baltimore, October 1991, there is described a Generalized Framework for Access Control (GFAC) as shown in Figure 1. The GFAC is typically implemented in software to implement one or more access control schemes in a data processing system comprising a central processing unit (CPU), memory subsystem, and input/output (I/O) subsystem all interconnected via a bus subsystem. The GFAC is typically stored in the memory for execution by the CPU.

Referring to Figure 1, the GFAC comprises an Access Control Enforcement Facility (AEF) 10. The AEF 10 resides in a Trusted Computing Base (TCB) 20. The TCB 20 is a protected part of the data processing system, such as an operating system kernel. In operation, the AEF 10 receives an access request 30 from a subject 40. The subject 40 is typically manifested by its proxy. The proxy is a task which inherits access rights from the requesting subject 40. The subject 40 might for example be a user or a process. Access rights might include the right to read from a file or the right to write to a file. Access functions such as reading and writing may be regarded as having different sensitivities. For example, there may be more risk associated with a write operation to a file than with a read operation. In use, the AEF 10 blocks or grants requests 30 for access 100 to an object 110, such as a classified data file. However, the AEF 10 delegates decision making to an Access Control Decision Facility (ADF) 50. Specifically, on receipt of the request 30, the AEF 10 sends the ADF 50 a decision request 80. In response to the decision request 80, the ADF 50 generates a decision 90 indicating whether or not the request 30 should be granted. The ADF 50 refers to stored Access Control Information (ACI) 60 and stored Access Control Rules (ACR) 70 to make its decision. The ACI 60 comprises the attributes of the subject 40 and the object 110. The ACR 70 comprises a set of rules defining whether or not access to a given object can be granted to the subject 40 based on the attributes of the subject 40. In dependence on the decision 90 received from the ADF 50, the AEF 10 either grants or denies the subject 40 access 100 to the object 110. For simple privacy and security policies, the decision process can be performed quickly. However, more computation is needed when the ACR 70 specifies more complicated rules. Accordingly, the decision may be delayed, thus limiting system performance. Furthermore, some rules may require knowledge of prior accesses to make a decision. This brings additional delay and complicates implementation of the GFAC. It would be desirable to avoid such delays and complexity.
In accordance with the present invention, there is now provided a method for controlling access to an object in a data processing system, the method comprising: receiving a request to access the object from a task; classifying the access request into one of critical and non-critical classes in dependence on stored access control data associated with the object and the task; granting the task access to the object and storing data indicative of the access in an access log if the access is classified into the non-critical class; and, in the event that the access is classified into the critical class, granting or denying the task access to the object in dependence on the contents of the access log and the stored access control data.

Preferably, the method comprises, in the event that the access is classified into the non-critical class, granting or denying the task access to the object in dependence on the access control data, and storing data indicative of the grant or denial in the access log.

The non-critical class may comprise a plurality of subclasses and the classifying may comprise classifying the access request into one of the subclasses in dependence on the stored access control data. In a preferred embodiment of the present invention, the subclasses comprise a first subclass and a second subclass. In a particularly preferred embodiment of the present invention, recovery data is stored in the access log if the access is classified into the second subclass. The access log may be inspected to identify bad grant decisions based on the contents of the access log and the access control data, and the method may comprise, on detection of a bad grant decision, rolling back any objects affected by the bad grant decision. The rolling back may comprise recovering data overwritten in the object. The inspection may be performed periodically. Alternatively, the inspection may be performed during periods in which the data processing system is otherwise idle.
Viewing the present invention from another aspect, there is now provided apparatus for controlling access to an object in a data processing system, the apparatus comprising: an access control data store for storing access control data associated with the object and the task; an access log; access control logic for receiving a request to access the object from a task; decision classifier logic connected to the access control logic, the access control data store, and the access log, for classifying the access request into one of critical and non-critical classes in dependence on the access control data and, in the event that the access is classified into the non-critical class, for granting the task access to the object and storing data indicative of the access in the access log; and, access control decision logic connected to the access control logic, the access log, the access control data store, and the decision classifier logic, for, in the event that the access is classified into the critical class, granting or denying the task access to the object in dependence on the contents of the access log and the access control data. The present invention extends to a data processing system comprising: a central processor unit; a memory; and access control apparatus as herein before described connected to the central processor unit and the memory. The present invention also extends to a computer program product comprising computer program code means which, when loaded in a processor of a computer system, configures the processor to perform a method as herein before described.

As will be appreciated from the following detailed description, in preferred embodiments of the present invention, the decision classifier logic acts as a coarse filter of decision requests. The access control decision logic subsequently acts as a fine filter of those decision requests passed to it via the decision triager.
By way of illustration of an advantage of the present invention, consider a computational process P desiring access to a secure object O, such as a stored data file, for which permission to access is needed. Permission might be granted in real time immediately before access is desired, as herein before described with reference to the conventional GFAC system. However, in general, checking and granting permissions beforehand limits performance. In preferred embodiments of the present invention, access is granted in advance based on assumptions regarding the permissions P might need. Checking permissions after the fact does not by itself prevent a forbidden access from occurring. However, such ex post facto checking of permissions allows later checks and audits to be performed by the system. The system may perform such audits periodically at defined intervals. Alternatively, the system may perform the audits during otherwise idle moments. Because audits of this nature can be performed off-line in otherwise idle moments, performance is less impeded. Techniques embodying the present invention are thus less intrusive than conventional techniques. Such audits enable forbidden actions produced by bad grant decisions to be identified. If changes brought about by forbidden actions are recorded, then recovery actions can be taken to return objects to desired states. Audit measures are generally regarded as sufficient for privacy purposes.

As indicated earlier, the non-critical class may comprise a plurality of subclasses. For example, in a particularly preferred embodiment of the present invention, there are three classes of actions: 1. informational access control; 2. immediate access control; and, 3. deferred access control.

Classes 1 and 3 are subclasses of the non-critical class. Class 2 is the critical class.

A Class 1 action simply produces an audit record in the access log, but access is always granted. A Class 1 action might be, for example, an action to read a publicly available document.
A Class 2 action involves prior checking of the access control data and the contents of the access log before it can be executed. A Class 2 action is then permitted only if the access control data and the contents of the access log indicate that the permission can be granted. Otherwise, an exception is raised. A Class 2 action might, for example, be a write operation to a publicly available document.

In the case of a Class 3 action, permission need not be checked prior to a grant. Instead, permission is granted and the action is recorded in the access log. The action can then be inspected later, either at a defined interval or during an otherwise idle period, and the quality of the grant decision determined based on the access control data and other accesses recorded in the access log. If the inspection reveals that the access should not have been granted, an alert may be issued. The record of such accesses may include recovery data that enables changes to objects performed downstream of an access allowed via a bad grant decision to be rolled back to an acceptable state. For example, the recovery data may include changes made to a file via addition or deletion, or overwriting of content. A Class 3 action might, for example, be a read from a classified document.

The present invention is particularly although not exclusively applicable to privacy and data protection. For example, consider a process that accesses, processes, and discloses personal information. To enforce an external privacy policy, disclosures towards outsiders are marked as needing an immediate access control decision. For other accesses, deferred access control might be sufficient. This does not prevent privacy violations within an enterprise, but it prevents such privacy violations producing illegal disclosures of personal information to outsiders.
Preferred embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings, in which:

Figure 1 is a block diagram of a Generalized Framework for Access Control (GFAC);

Figure 2 is a block diagram of a data processing system;

Figure 3 is a logical block diagram of an example of an access control system embodying the present invention;

Figure 4 is a flow chart associated with the access control system shown in Figure 3;

Figure 5 is another flow chart associated with the access control system shown in Figure 3;

Figure 6 is a more detailed logical block diagram of the access control system shown in Figure 3;

Figure 7 is a logical block diagram of another example of an access control system embodying the present invention;

Figure 8 is a flow diagram representative of multiple tasks executing in a data processing system;

Figure 9 is a flow chart associated with the access control system shown in Figure 7;

Figure 10 is another flow chart associated with the access control system shown in Figure 7;

Figure 11 is a further flow chart associated with the access control system shown in Figure 7; and,

Figure 12 is yet another flow chart associated with the access control system shown in Figure 7.
With reference to Figure 2, a data processing system comprises a central processing unit (CPU) 200, an input/output (I/O) subsystem 210, a memory subsystem 220, and a bus subsystem 230 interconnecting the CPU 200, the memory subsystem 220, and the I/O subsystem 210. Operating system software 240 is stored in the memory subsystem 220 for execution by the CPU 200.

Referring to Figure 3, the data processing system is shown in a logical arrangement in which access to an object 250 by a task 270 executing on the data processing system is controlled by an access controller 280.

Referring to Figure 4, on receipt of an access request from the task 270, the access controller 280 classifies, at block 302, the access request into one of critical and non-critical classes in dependence on stored access control data 285. If the access is classified into the non-critical class, the access controller 280 grants the task 270 access to the object 250 at block 303 and stores data indicative of the access in an access log 290 at block 304. If the access is classified into the critical class, then, at block 305, the access controller 280 grants, at block 307, or denies the task 270 access to the object 250 in dependence on the contents of the access log 290 and the access control data 285. It is preferred that the access controller 280 be located in a TCB of the data processing system. As indicated earlier, the TCB is a protected part of the data processing system, typically within a kernel portion of the operating system 240.
06/03/2003 17:53 FAX +41 1 724 89 51 IBM ZURICH IPD EPO PATENTS CH9-2002-0050

Referring now to Figure 5, in a particularly preferred embodiment of the present invention, in the event that, at block 302, the access is classified into the non-critical class, then, at block 308, the access controller 280 determines whether to grant or deny the task 270 access to the object 250 in dependence on the access control data 285. If, at block 308, the access controller 280 decides to grant access at block 303, then the access controller 280 stores a record to this effect in the access log 290 at block 304. Similarly, if, at block 308, the access controller 280 decides not to grant access, at block 309, then the access controller 280 stores a record to this effect in the access log 290. The simple test performed at block 308 based on the access control data 285 effectively "triages" non-critical access control decisions so that processing power can be focussed instead on more complex decisions based on past events recorded in the access log 290.

Referring now to Figure 6, in a preferred embodiment of the present invention, the access controller 280 comprises access control logic 300 for receiving a request to access the object 250 from the task 270. Decision classifier logic 310 is connected to the access control logic 300, the access control data 285, and the access log 290 for classifying the access request into one of critical and non-critical classes in dependence on the access control data 285. If the access is classified into the non-critical class, the decision classifier logic 310 grants, via the access control logic 300, the task 270 access to the object 250 and stores data indicative of the access in the access log 290. If the access is classified into the critical class, the decision classifier logic 310 passes the request to access control decision logic 320. The access control decision logic 320 is also connected to the access control logic 300, the access log 290, and the access control data 285. On receipt of the critical access request, the access control decision logic 320 grants or denies the task 270 access to the object 250 in dependence on the contents of the access log 290 and the access control data 285.

The non-critical class may be divided into multiple subclasses. Referring now to Figure 7, in a particularly preferred embodiment of the present invention, the access control logic 300 acts as an AEF. Similarly, the decision classifier logic 310 acts as a decision triager (ADT) and the access control decision logic 320 acts as an access decision facility (ADF). The access control data 285 comprises Access Control Information (ACI) 330 and Access Control Rules (ACR) 360 stored in the memory 220. The ACI 330 is substantially as herein before described with reference to Figure 1. In operation, the AEF 300 receives an access request from the task 270. The task 270 may be a proxy for a subject in the data processing system, such as a user or a process. The task 270 makes the request because it desires access to the object 250. In response to the request, the AEF 300 generates a decision request. The decision request is passed to the ADT 310, which refers to the ACI 330 to sort the decision request into one of the aforementioned three classes of access; namely:

1. informational access control;

2. immediate access control; and,

3. deferred access control.

Here, Class 2 is the critical class. Classes 1 and 3 are subclasses of the non-critical class. The ACI 330 associates the object 250 with a set of access classes. The ACI 330 also associates the task 270 with a set of access classes. In typical implementations of access control, the ACR 360 and the ACI 330 corresponding to the subject and the object are used to check whether or not access to the object may be granted to the subject. The ACR 360 is divided into two sets of rules. Specifically, the ACR 360 comprises triage rules 340 and decision rules 350. The triage rules 340 are used by the ADT 310 in combination with the ACI 330 to classify access requests into one of the aforementioned classes. The decision rules 350 are used by the ADF 320 in combination with the ACI 330.

If the ADT 310 assigns the decision request to Class 1 or Class 3, a corresponding default decision is sent from the ADT 310 back to the AEF 300. A corresponding access record is simultaneously stored in the access log 290.

If the ADT 310 assigns the decision request to Class 2, then the ADT 310 forwards the decision request to the ADF 320 for further resolution. The ADF 320 uses the contents of the access log 290, the ACI 330, the decision rules 350, and the decision request to arrive at a decision. The ADF 320 returns the decision to the AEF 300. The decision may be a grant decision or a signal to raise an exception. The exception decision may additionally trigger recovery actions. Examples of recovery actions will be described shortly.

In a particularly preferred embodiment of the present invention, the ADT 310 is implemented as a lightweight process and the ADF 320 exerts more effort in arriving at the decision. The ADF 320 may choose to evaluate the contents of the access log 290 without stimulus if, for example, system utilization is low.

The ADT 310 can be employed to make the relatively non-critical decisions herein before described with reference to Figure 5, block 308, leaving the ADF 320 to handle only the more critical decisions. The ADF 320 is not therefore burdened with non-critical activities. Thus, performance of the access controller 280 is greatly improved.

In Figure 8, there is shown an example of a privacy access scenario relating to objects in an enterprise. In the scenario, there are two tasks, T1 and T2, operating on three objects O1, O2 and O3. O3 is a publicly accessible resource. Write operations directed to O3 are Class 2, immediate access control, because they have the potential to publicly expose sensitive data. O1 and O2 are both internal resources of the enterprise. Thus, O1 and O2 demand non-critical classification in Classes 3 and 1, deferred and informational access control respectively. Only O1 contains sensitive data such as personal information. When a write to O3 is requested, the ADT 310 determines that the attention of the ADF 320 is required. The access rules in this example specify that data exposed publicly, such as that contained in O3, may not be tainted by sensitive data such as that contained in O1. In addition, the access rules specify that [...]. In this example, T1 writes to O2 after reading from O1, whereupon O2 is potentially tainted by the contents of O1. T2 subsequently reads from the potentially tainted O2. Then T2 attempts to write to O3. The ADF 320 detects via the contents of the access log 290 that T2 has read from O2 after T1 has written to O2 having previously read from O1. The ADF 320 thus detects that there is potential for T2 to disclose sensitive data contained in O1. Accordingly, the ADF 320 determines that access to O3 by T2 should be denied. In a preferred embodiment of the present invention, the ADF 320 raises an exception to prevent further disclosures. In a particularly preferred embodiment of the present invention, T1 and T2 can be rolled back based on the recovery data stored in the access log 290, so that O2 is no longer potentially tainted by the contents of O1.

The present invention permits deferral of access control computations that are expensive from a computational standpoint until sensitive information is about to be leaked. This advantageously avoids performing such computations in real-time.

Operation of the embodiment of the present invention herein before described with reference to Figure 7 will now be described with reference to the flow chart provided in Figure 9.
At block 400, an access request arrives at the AEF 300 from the task 270.

At block 410, the AEF 300 sends a decision request based on the access request to the ADT 310. On receipt of the decision request, the ADT 310 classifies the access corresponding to the decision request into one of the aforementioned three classes.

At block 420, if the access is determined to be in Class 1, informational access control, then, at block 430, a record of the access is saved in the access log 290. At block 440, a decision to grant the access is then sent back to the AEF 300 from the ADT 310. If the access is not determined to be in Class 1, then the test at block 450 is performed.

At block 450, if the access is determined to be in Class 3, deferred access control, then, at block 460, a record of the access is saved in the access log 290 together with recovery data. Again, at block 440, a decision to grant the access is then sent back to the AEF 300 from the ADT 310. If the access is not determined to be in Class 3, then, at block 470, the decision request is forwarded from the ADT 310 to the ADF 320. If the access is not determined to be in Class 1 or Class 3, then, by default, the access is determined to be in Class 2, immediate access control.

On receipt of the decision request at block 470, the ADF 320 evaluates the request based on the access requested and the contents of the access log 290. If, at block 480, the ADF 320 determines from the evaluation that access should be granted, then, at block 440, the ADF 320 issues a decision to this effect to the AEF 300. If, at block 480, the ADF 320 determines from the evaluation that access should be denied, then, at block 490, the ADF 320 sends a decision to this effect back to the AEF 300.

At block 500, on receipt of a grant decision from the ADF 320 or the ADT 310, the AEF 300 grants the task 270 access to the object 250. At block 510, on receipt of a deny decision from the ADF 320, the AEF 300 denies the task 270 access to the object 250. In the event that the AEF 300 is in receipt of a deny decision from the ADF 320, additional action may be required, such as aborting the task 270 and raising an exception, or rolling back all actions of the task 270 and the dependencies of such actions based on stored recovery data.
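The three-class triage (informational, immediate, deferred), the ADT/ADF split of Figure 7 and the taint scenario of Figure 8 are brought together below as an added worked example. This is example code written for this page, not an implementation from the patent or from IBM: the triage rule table, the single decision rule (a task that may hold data derived from a sensitive object may not write a public object) and the task and object names T1, T2, T3, O1, O2, O3 are assumptions chosen to reproduce the Figure 8 scenario. Only Class 2 requests pay for a replay of the access log; the ADT is a table lookup, and a request with no triage rule is treated as critical so that an incomplete rule table fails closed rather than open.

```python
"""Added example (not taken from the patent text): a triaged access controller
in the style of Figure 7, exercised on the Figure 8 scenario.

The AEF/ADT/ADF roles follow the text; the rule tables, task names and object
names are assumptions chosen to reproduce the scenario.
"""
from dataclasses import dataclass
from enum import Enum


class AccessClass(Enum):
    INFORMATIONAL = 1   # Class 1: always granted, only logged
    IMMEDIATE = 2       # Class 2 (critical): ADF decides before access
    DEFERRED = 3        # Class 3: granted now, inspected later via the log


@dataclass
class LogEntry:
    task: str
    op: str             # "read" or "write"
    obj: str
    access_class: AccessClass
    granted: bool       # recovery data for Class 3 writes is omitted here


@dataclass
class Decision:
    granted: bool
    reason: str


def taint_from_log(log):
    """Replay granted accesses in log order and return (task_taint, obj_taint):
    the set of source objects whose content each task / object may now carry."""
    task_taint, obj_taint = {}, {}
    for e in log:
        if not e.granted:
            continue
        if e.op == "read":
            task_taint.setdefault(e.task, set()).update({e.obj} | obj_taint.get(e.obj, set()))
        elif e.op == "write":
            obj_taint.setdefault(e.obj, set()).update(task_taint.get(e.task, set()))
    return task_taint, obj_taint


class AccessController:
    """AEF entry point (request) in front of the ADT (triage) and ADF (decide)."""

    def __init__(self, triage_rules, sensitive, public):
        self.triage_rules = dict(triage_rules)  # (op, obj) -> AccessClass; plays the triage rules
        self.sensitive = set(sensitive)         # objects holding personal data; plays the ACI
        self.public = set(public)               # objects readable by outsiders; plays the ACI
        self.log = []                           # the access log

    def triage(self, op, obj):
        # ADT: a cheap table lookup. Anything without a rule is treated as
        # critical, so an incomplete rule table fails closed rather than open.
        return self.triage_rules.get((op, obj), AccessClass.IMMEDIATE)

    def decide(self, task, op, obj):
        # ADF: the one decision rule of this example. A public object may not be
        # written by a task that, according to the log, may hold data derived
        # from a sensitive object.
        if op == "write" and obj in self.public:
            task_taint, _ = taint_from_log(self.log)
            leak = task_taint.get(task, set()) & self.sensitive
            if leak:
                return Decision(False, f"{task} may carry data from {sorted(leak)}")
        return Decision(True, "checked against access log")

    def request(self, task, op, obj):
        # AEF: enforce. Only Class 2 requests pay for the log replay.
        cls = self.triage(op, obj)
        if cls is AccessClass.IMMEDIATE:
            decision = self.decide(task, op, obj)
        else:
            decision = Decision(True, f"{cls.name.lower()} access control")
        self.log.append(LogEntry(task, op, obj, cls, decision.granted))
        return decision


def run_figure_8_scenario():
    """T1 reads O1 (sensitive) and writes O2; T2 reads O2 and tries to write
    public O3. T3, which has only read O3, is allowed to write O3."""
    ac = AccessController(
        triage_rules={
            ("read", "O1"): AccessClass.DEFERRED,        # classified internal document
            ("read", "O2"): AccessClass.INFORMATIONAL,   # internal, not sensitive
            ("write", "O2"): AccessClass.INFORMATIONAL,
            ("read", "O3"): AccessClass.INFORMATIONAL,   # public document
            ("write", "O3"): AccessClass.IMMEDIATE,      # could expose data publicly
        },
        sensitive={"O1"},
        public={"O3"},
    )
    steps = [("T1", "read", "O1"), ("T1", "write", "O2"),
             ("T2", "read", "O2"), ("T2", "write", "O3"),
             ("T3", "read", "O3"), ("T3", "write", "O3")]
    outcomes = [(t, op, o, ac.request(t, op, o)) for t, op, o in steps]
    return outcomes, ac


if __name__ == "__main__":
    for task, op, obj, d in run_figure_8_scenario()[0]:
        print(f"{task} {op:5} {obj}: {'grant' if d.granted else 'DENY '} ({d.reason})")
```

Running the block prints one line per access; the write of T2 to O3 is the only denial, and its reason names O1 as the source of the taint. Replaying the whole log on every Class 2 request is the simplest correct form; an ADF under load would maintain the task and object taint sets incrementally as log entries are written, or refresh them during idle periods as the text allows the ADF to do.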

Referring to Figure 10, in another embodiment of the present invention, the non-critical class is not subdivided into subclasses. Instead, the test herein before described with reference to Figure 9, block 420, is replaced with a test simply to determine whether the access is critical or non-critical, see Figure 10, block 425. If the access is non-critical then, at block 435, a record of the access is saved in the access log 290 together with recovery data. If the access is critical, then, at block 470, the decision is passed to the ADF 320 as herein before described with reference to Figure 9.


As indicated earlier, recovery data may be recorded in the access log 290. The recovery data permits the data processing system to be rolled back to a secure state. In other words, the recovery data permits the data processing system to reset itself to the state it enjoyed prior to a bad access grant decision being made. In a particularly preferred embodiment of the present invention, the recovery data recorded in the access log 290 comprises change data indicative of changes made to objects when the objects are accessed. Such changes may be additive, such as adding data to files. Alternatively, such changes may be subtractive, such as deleting data from files. The changes also include overwriting data in files. It will be appreciated that such changes are generally associated with write operations. In a particularly preferred embodiment of the present invention, each time such changes are made, data indicative of the difference in object content before and after the change is recorded in the access log 290 where the access was allowed based on a potentially bad grant decision. By recording such difference data, object content prior to the access can be restored in the event that the potentially bad grant decision is determined to be actually bad.

Referring to Figure 11, in a preferred embodiment of the present invention, the access log 290 is periodically checked to determine if bad grant decisions have been issued, necessitating remedial action. Specifically, at block 600, a count is checked by the access controller 280. If the count is not reached, then, at block 610, the count is incremented and tested again. If however the count is reached, then, at block 620, the access log 290 is inspected by the ADF 320 to determine, as herein before described with reference to Figure 9, blocks 470 and 480, if any bad grant decisions have been issued. If the ADF 320 determines, at block 630, that a bad grant decision has been issued since the last inspection, then, at block 650, the ADF 320 rolls back the affected objects based on the recovery data stored in the access log 290. The access log 290 is then inspected again at block 620 to determine if any other bad grant decisions were made since the last inspection. If the ADF 320 determines at block 630 that no bad grant decisions were made since the last inspection, then, at block 640, the count is reset and retested at block 600.

Referring to Figure 12, in another preferred embodiment of the present invention, the access log 290 is checked during otherwise idle moments in the data processing system. Specifically, at block 605, the access controller 280 checks the state of the CPU 200. If, at block 615, the access controller 280 determines that the CPU 200 is busy, then the check at block 605 is performed again after a predetermined period. If, at block 615, the access controller 280 determines that the CPU 200 is free, then blocks 620, 630, and 650 are performed as herein before described with reference to Figure 11. Once all bad grant decisions recorded in the access log 290 since the last inspection have been detected and restoration measures accordingly taken, the test at block 605 is repeated.
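The recovery data described above, the count-driven inspection of Figure 11 and the rollback it triggers are shown below as an added worked example. This is example code written for this page, not an implementation from the patent or from IBM. It assumes that object contents are strings; that a write is recorded as (offset, overwritten text, length written), which is the difference data needed to undo additions, deletions and overwrites in place; that the after-the-fact decision rule is a simple clearance check (a task may not read an object classified above its level); and that the sweep runs every four accesses. Rollback undoes, newest first, the later writes of the offending task, of every task that read an object it wrote, and any later write to such an object, which is the "dependencies of such actions" of the text taken conservatively. The idle-time trigger of Figure 12 is not shown; it would call the same inspect() from a scheduler instead of from the counter.

```python
"""Added example (not taken from the patent text): deferred (Class 3) grants
recorded with recovery data, a count-driven inspection sweep in the manner of
Figure 11, and rollback of the affected objects and their dependents.

Object contents, clearances, the after-the-fact decision rule and the sweep
threshold are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Edit:
    """Recovery data for one write: the difference needed to undo it in place.
    old == "" records a pure addition, new_len == 0 a pure deletion."""
    offset: int
    old: str
    new_len: int


@dataclass
class LogEntry:
    seq: int
    task: str
    op: str                          # "read" or "write"
    obj: str
    recovery: Optional[Edit] = None  # present only for writes
    rolled_back: bool = False


class DeferredAccessLog:
    """Grants every access at once (Class 3), logs it, and inspects the log
    once every `sweep_every` accesses."""

    def __init__(self, objects, clearance, classification, sweep_every=4):
        self.objects = dict(objects)                # obj -> current content
        self.clearance = dict(clearance)            # task -> level (subject attribute)
        self.classification = dict(classification)  # obj -> level (object attribute)
        self.sweep_every = sweep_every
        self.count = 0
        self.log = []
        self.alerts = []

    def read(self, task, obj):
        self.log.append(LogEntry(len(self.log), task, "read", obj))
        self._tick()
        return self.objects[obj]

    def write(self, task, obj, offset, old_len, new):
        """Replace old_len characters at offset with `new`, keeping the
        overwritten text as recovery data."""
        content = self.objects[obj]
        edit = Edit(offset, content[offset:offset + old_len], len(new))
        self.objects[obj] = content[:offset] + new + content[offset + old_len:]
        self.log.append(LogEntry(len(self.log), task, "write", obj, edit))
        self._tick()

    def _tick(self):
        # Figure 11: increment a count per access; when it reaches the threshold,
        # inspect the log and reset the count.
        self.count += 1
        if self.count >= self.sweep_every:
            self.inspect()
            self.count = 0

    def bad_grant(self, e):
        # The after-the-fact decision rule: a task may not read an object
        # classified above its clearance.
        return e.op == "read" and self.classification[e.obj] > self.clearance[e.task]

    def inspect(self):
        for e in self.log:
            if not e.rolled_back and self.bad_grant(e):
                self.alerts.append(f"bad grant: {e.task} {e.op} {e.obj}")
                self.rollback(e)

    def rollback(self, bad):
        """Undo, newest first, every later write by the offending task, by any task
        that read an object it wrote, and any later write to such an object."""
        tainted_tasks, tainted_objs, victims = {bad.task}, set(), []
        for e in self.log[bad.seq + 1:]:
            if e.op == "write":
                if e.task in tainted_tasks:
                    tainted_objs.add(e.obj)
                if e.obj in tainted_objs and not e.rolled_back:
                    victims.append(e)
            elif e.obj in tainted_objs:          # read of tainted data
                tainted_tasks.add(e.task)
        for e in reversed(victims):              # newest first keeps offsets valid
            c, r = self.objects[e.obj], e.recovery
            self.objects[e.obj] = c[:r.offset] + r.old + c[r.offset + r.new_len:]
            e.rolled_back = True
        bad.rolled_back = True


def run_scenario():
    store = DeferredAccessLog(
        objects={"secret.txt": "salary=100", "scratch.txt": "draft", "report.txt": "Q1 report"},
        clearance={"T1": 0, "T2": 0},
        classification={"secret.txt": 1, "scratch.txt": 0, "report.txt": 0},
    )
    leaked = store.read("T1", "secret.txt")               # bad grant, not caught yet
    store.write("T1", "scratch.txt", 0, 5, leaked)        # overwrites "draft"
    copied = store.read("T2", "scratch.txt")              # T2 now depends on T1's write
    store.write("T2", "report.txt", 9, 0, "; " + copied)  # 4th access: sweep runs here
    return store


if __name__ == "__main__":
    s = run_scenario()
    print(s.alerts, s.objects)
```

After the fourth access the sweep finds T1's read of secret.txt, restores scratch.txt to "draft" and report.txt to "Q1 report", and marks the entries as rolled back so that a second inspection does not repeat the alert. Undoing every later write to a tainted object, not only those by tainted tasks, is what keeps the stored offsets valid; a finer-grained scheme would have to re-base later edits instead.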

Preferred embodiments of the present invention have been herein before described with reference to computer program code for configuring the CPU 200 and the memory subsystem 220 of a data processing system to perform the functions of the access controller 280, the access control data 285, and the access log 290. It will be appreciated however, that, in other embodiments of the present invention, one or more of such functions may be performed at least partially by hardwired logic or similarly dedicated circuitry. Equally, it will be appreciated that the data processing system may be embodied in a single unit or in a plurality of distributed units interconnected via a data communications network.

Described herein by way of example of the present invention is a method for controlling access to an object in a data processing system comprising: receiving a request to access the object from a task; classifying the access request into one of critical and non-critical classes in dependence on stored access control data associated with the object and the task; granting the task access to the object and storing data indicative of the access in an access log if the access is classified into the non-critical class; and, in the event that the access is classified into the critical class, granting or denying the task access to the object in dependence on the contents of the access log and the stored access control data. It will be appreciated that many implementations of such a method are possible.



CLAIMS

1. Method for controlling access to an object in a data processing system, the method comprising:

receiving a request to access the object from a task;

classifying the access request into one of critical and non-critical classes in dependence on stored access control data associated with the object and the task;

granting the task access to the object and storing data indicative of the access in an access log if the access is classified into the non-critical class; and,

in the event that the access is classified into the critical class, granting or denying the task access to the object in dependence on the contents of the access log and the stored access control data.

15 2. Method as claimed in claim 1, comprising, in the event 
that the access is classified into the non-critical class, 
granting or denying the task access to the object in 
dependence on the access control data, and storing data 
indicative of the grant or denial in the access log. 

20 3. Method as claimed in claim 1 or claim 2, wherein the 

non-critical class comprises a plurality of subclasses and the 
classifying comprises classifying the access request into one 
of the subclasses in dependence on the stored access control 
data. 

4. Method as claimed in claim 1 or claim 2, wherein the 
subclasses comprise a first subclass and a second subclass. 

5. Method as claimed in claim 4, comprising storing recovery 
data in the access log if the access is classified into the 
second subclass. 

6. Method as claimed in claim 5, comprising: 




inspecting the access log to identify a bad grant 
decision based on the contents of the access log and the 
access control data; and, 

on detection of a bad grant decision, rolling back any 
objects affected by the bad grant decision. 

7. Method as claimed in claim 6, wherein the rolling back 
comprises recovering data overwritten in the object. 

8. Method as claimed in claim 6 or claim 7, comprising 
performing the inspecting periodically. 

9. Method as claimed in any of claims 6 to 8, comprising 
performing the inspecting during periods in which the data 
processing system is otherwise idle. 
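As an added illustration of the method of claims 1 to 9 (example code, not from the patent), the following Python model grants non-critical requests at once and logs them, decides critical requests from the log together with the access control data, and runs the inspection of claims 6 and 7 to find bad grant decisions and roll back the overwritten data. The task names, object names and table entries are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed access control data (not from the patent): for each (task, object)
# the permitted operations, whether the access is critical, and whether it falls
# in the second non-critical subclass, for which overwritten data is logged.
ACL = {
    ("billing", "invoice"): {"ops": {"read", "write"}, "critical": False, "recover": True},
    ("intern", "invoice"): {"ops": {"read"}, "critical": False, "recover": True},
    ("intern", "payroll"): {"ops": {"read"}, "critical": True, "recover": False},
}


@dataclass
class AccessController:
    objects: dict                        # object name -> current contents
    log: list = field(default_factory=list)

    def classify(self, task, obj):
        # Claim 1: the class depends only on the stored data for the pair; no data means critical.
        entry = ACL.get((task, obj))
        return "non-critical" if entry and not entry["critical"] else "critical"

    def request(self, task, obj, op, new=None):
        rec = {"task": task, "obj": obj, "op": op}
        if self.classify(task, obj) == "non-critical":
            # Fast path: grant and log; the second subclass (claim 5) also keeps the old data.
            if op == "write" and ACL[(task, obj)]["recover"]:
                rec["old"] = self.objects[obj]
            rec["granted"] = True
        else:
            # Critical path: decide from the data and the log (refuse tasks already caught out).
            suspect = any(r["task"] == task and r.get("bad") for r in self.log)
            rec["granted"] = op in ACL.get((task, obj), {"ops": set()})["ops"] and not suspect
        self.log.append(rec)
        if rec["granted"] and op == "write":
            self.objects[obj] = new
        return rec["granted"]

    def inspect(self):
        # Claims 6 and 7: flag grants the data does not support and recover overwritten data.
        rolled_back = []
        for rec in self.log:
            if not rec["granted"] or rec.get("bad"):
                continue
            if rec["op"] not in ACL[(rec["task"], rec["obj"])]["ops"]:
                rec["bad"] = True
                if "old" in rec:
                    self.objects[rec["obj"]] = rec["old"]
                    rolled_back.append(rec["obj"])
        return rolled_back
```

Between requests and the next inspection an unsupported non-critical write is visible in the object, which is the window the log and recovery data exist to close.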

10. Apparatus for controlling access to an object in a data 
processing system, the apparatus comprising: an access control 
data store for storing access control data associated with the 
object and the task; an access log; access control logic for 
receiving a request to access the object from a task; decision 
classifier logic connected to the access control logic, the 
access control data store, and the access log, for classifying 
the access request into one of critical and non-critical 
classes in dependence on the access control data and, in the 
event that the access is classified into the non-critical 
class, for granting the task access to the object and storing 
data indicative of the access in the access log; and, access 
control decision logic connected to the access control logic, 
the access log, the access control data store, and the 
decision classifier logic, for, in the event that the access 
is classified into the critical class, granting or denying the 
task access to the object in dependence on the contents of the 
access log and the access control data. 

11. Apparatus as claimed in claim 10, wherein, in use, the 
decision classifier logic, in the event that the access is 
classified into the non-critical class, grants or denies the 
task access to the object in dependence on the contents of the 
access control data, and stores data indicative of the grant 
or denial in the access log. 

12. Apparatus as claimed in claim 10 or claim 11, wherein the 
non-critical class comprises a plurality of subclasses and the 
decision classifier logic, in use, classifies the access 
request into one of the subclasses in dependence on the access 
control data. 

13. Apparatus as claimed in claim 10 or claim 11, wherein the 
subclasses comprise a first subclass and a second subclass. 



14. Apparatus as claimed in claim 13, wherein the decision 
classifier logic, in use, stores recovery data in the access 
log if the access is classified into the second subclass. 

15. Apparatus as claimed in claim 14, wherein the access 
control decision logic, in use, inspects the access log to 
identify a bad grant decision based on the contents of the 
access log and the access control data and, on detection of a 
bad grant decision, effects a roll back of any objects affected 
by the bad grant decision. 

16. Apparatus as claimed in claim 15, wherein the rolling 
back comprises recovering data overwritten in the object. 

17. Apparatus as claimed in claim 15 or claim 16, wherein the 
access control decision logic, in use, performs the inspection 
periodically. 

18. Apparatus as claimed in claim 15 or claim 16, wherein the 
access control decision logic, in use, performs the inspection 
during periods in which the data processing system is 
otherwise idle. 
19. Data processing system comprising: a central processor 
unit, a memory, and apparatus as claimed in any of claims 10 
to 18 connected to the central processor unit and the memory. 

20. Computer program element comprising computer program code 
means which, when loaded in a processor of a computer system, 
configures the processor to perform a method as claimed in 
any of claims 1 to 9. 
ABSTRACT 

A method for controlling access to an object in a data 
processing system comprises: receiving a request to access the 
object from a task; classifying the access request into one of 
critical and non-critical classes in dependence on stored 
access control data associated with the object and the task; 
granting the task access to the object and storing data 
indicative of the access in an access log if the access is 
classified into the non-critical class; and, in the event that 
the access is classified into the critical class, granting or 
denying the task access to the object in dependence on the 
contents of the access log and the stored access control data. 